Bug 199018 - [GTK] fast/mediastream/RTCPeerConnection-add-removeTrack.html is crashing
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Thibault Saunier
Reported: 2019-06-19 11:03 PDT by Alicia Boya García
Modified: 2019-08-09 14:57 PDT

Attachments
Patch (1.61 KB, patch)
2019-07-11 07:42 PDT, Thibault Saunier
Patch (1.56 KB, patch)
2019-08-09 12:45 PDT, Thibault Saunier

Description Alicia Boya García 2019-06-19 11:03:12 PDT
fast/mediastream/RTCPeerConnection-add-removeTrack.html

Crashing since r246053:r246056

It seems the string is too long:

String String::fromUTF8(const LChar* stringStart, size_t length)
{
    if (length > MaxLength)
        CRASH();

Thread 1 (Thread 0x7f27550be9c0 (LWP 36070)):
#0  WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:305
#1  0x00007f275ec97969 in WTF::String::fromUTF8(unsigned char const*, unsigned long) (stringStart="", length=139807294951298) at ../../Source/WTF/wtf/text/WTFString.cpp:846
#2  0x00007f276b014acb in WTF::String::fromUTF8(char const*, unsigned long) (characters=0x7fff1b898c00 "", length=139807294951298) at DerivedSources/ForwardingHeaders/wtf/text/WTFString.h:349
#3  0x00007f276ddbccdd in WebCore::fromStdString(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (value='\000' <repeats 24 times>, "\202\017'l'\177\000\000P\214\211\033\377\177\000\000\313J\001k'\177\000\000P\214\211\033\377\177\000\000\202\017'l'\177\000\000\000\214\211\033\377\177\000\000@\215\211\033\377\177\000\000\200\214\211\033\377\177\000\000\335\314\333m'\177\000\000\240\214\211\033\377\177\000\000@\215\211\033\377\177\000\000\275Ѳk'\177\000\000\275Ѳk'\177\000\000\340\214\211\033\377\177\000\000\205\310\333m'\177\000\000\240\225\022b&\177\000\000@\215\211\033\377\177\000\000\000\214\211\033\377\177\000\000\202\017'l'\177\000\000\000\000\000\000\000\000\000\000\240\063\000\354&\177\000\000\340\214\211\033\377\177\000\000"...) at ../../Source/WebCore/Modules/mediastream/libwebrtc/LibWebRTCUtils.h:57
#4  0x00007f276ddbc885 in WebCore::LibWebRTCRtpTransceiverBackend::mid() (this=0x7f26621295a0) at ../../Source/WebCore/Modules/mediastream/libwebrtc/LibWebRTCRtpTransceiverBackend.cpp:67
#5  0x00007f276c26e4aa in WebCore::RTCRtpTransceiver::mid() const (this=0x7f26ec003360) at ../../Source/WebCore/Modules/mediastream/RTCRtpTransceiver.cpp:55
#6  0x00007f276bb2d190 in WebCore::jsRTCRtpTransceiverMidGetter (state=..., thisObject=..., throwScope=...) at DerivedSources/WebCore/JSRTCRtpTransceiver.cpp:217
#7  0x00007f276bb4c95a in WebCore::IDLAttribute<WebCore::JSRTCRtpTransceiver>::get<WebCore::jsRTCRtpTransceiverMidGetter, (WebCore::CastedThisErrorBehavior)3> (state=..., thisValue=139805210572384, attributeName=0x7f276f989bda "mid") at ../../Source/WebCore/bindings/js/JSDOMAttribute.h:69
#8  0x00007f276bb2d1eb in WebCore::jsRTCRtpTransceiverMid(JSC::ExecState*, long, JSC::PropertyName) (state=0x7fff1b8991f0, thisValue=139805210572384) at DerivedSources/WebCore/JSRTCRtpTransceiver.cpp:223
#9  0x00007f275e9350c9 in JSC::PropertySlot::customGetter(JSC::ExecState*, JSC::PropertyName) const (this=0x7fff1b899040, exec=0x7fff1b8991f0, propertyName=...) at ../../Source/JavaScriptCore/runtime/PropertySlot.cpp:50
#10 0x00007f276b38f1c0 in JSC::PropertySlot::getValue(JSC::ExecState*, JSC::PropertyName) const (this=0x7fff1b899040, exec=0x7fff1b8991f0, propertyName=...) at DerivedSources/ForwardingHeaders/JavaScriptCore/PropertySlot.h:414
#11 0x00007f276c5acb83 in JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const (this=0x7fff1b899088, exec=0x7fff1b8991f0, propertyName=..., slot=...) at DerivedSources/ForwardingHeaders/JavaScriptCore/JSCJSValueInlines.h:873
#12 0x00007f275e5de21a in JSC::LLInt::llint_slow_path_get_by_id (exec=0x7fff1b8991f0, pc=0x7f266211c33c) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:762
#13 0x00007f275e5c75ce in llint_op_get_by_id () from /home/slave/webkitgtk/gtk-linux-64-debug/build/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#14 0x0000000000000000 in ?? ()
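
Added triage example (not part of the original report and not WebKit code): it reads the length= arguments from frames #1 and #2 of the backtrace above and checks whether an oversized value lies in the same address range as the frames' program counters, which separates a genuinely long string from a std::string object read from invalid memory. The max_length default of 2^31 - 1 is an assumption about String::MaxLength; frame #8 is included as a control with no length argument.

```python
import re

# Frames #1, #2 and #8 copied verbatim from the backtrace in this report.
TRACE = """\
#1  0x00007f275ec97969 in WTF::String::fromUTF8(unsigned char const*, unsigned long) (stringStart="", length=139807294951298) at ../../Source/WTF/wtf/text/WTFString.cpp:846
#2  0x00007f276b014acb in WTF::String::fromUTF8(char const*, unsigned long) (characters=0x7fff1b898c00 "", length=139807294951298) at DerivedSources/ForwardingHeaders/wtf/text/WTFString.h:349
#8  0x00007f276bb2d1eb in WebCore::jsRTCRtpTransceiverMid(JSC::ExecState*, long, JSC::PropertyName) (state=0x7fff1b8991f0, thisValue=139805210572384) at DerivedSources/WebCore/JSRTCRtpTransceiver.cpp:223
"""

# gdb frame header: "#<n>  0x<pc> in ..."
FRAME_RE = re.compile(r"^#(\d+)\s+0x([0-9a-fA-F]+) in ")
# Only arguments whose name says they carry a size are examined.
ARG_RE = re.compile(r"\b(length|size|len)=(\d+)\b")


def triage_lengths(trace, max_length=2**31 - 1):
    """Return one finding per size argument that exceeds max_length.

    max_length is an assumed stand-in for WTF's String::MaxLength.
    address_like is True when the value shares its upper 32 bits with the
    program counter of any parsed frame, i.e. it looks like an address
    inside a mapped module rather than a byte count.
    """
    frames = []
    for line in trace.splitlines():
        match = FRAME_RE.match(line)
        if match:
            frames.append((int(match.group(1)), int(match.group(2), 16), line))

    pc_prefixes = {pc >> 32 for _, pc, _ in frames}
    findings = []
    for number, _, line in frames:
        for name, raw in ARG_RE.findall(line):
            value = int(raw)
            if value <= max_length:
                continue
            findings.append({
                "frame": number,
                "arg": name,
                "hex": hex(value),
                "address_like": (value >> 32) in pc_prefixes,
            })
    return findings


if __name__ == "__main__":
    for finding in triage_lengths(TRACE):
        print(finding)
```

For this trace both frames report 0x7f276c270f82 with address_like set. The same eight bytes, in little-endian order, follow the 24 zero bytes at the start of the value= dump in frame #3.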
Comment 1 Thibault Saunier 2019-07-11 07:42:22 PDT
Created attachment 373922 [details]
Patch
Comment 2 Carlos Alberto Lopez Perez 2019-07-11 08:11:54 PDT
Comment on attachment 373922 [details]
Patch

This is a gardening patch. It doesn't need review.
Simply change the "Reviewed by NOBODY (OOPS!)." to something that contains the word "unreviewed", like "Unreviewed gardening patch", and commit it directly (if you are a committer) or ask any committer to just set the cq+ flag.
Comment 3 Thibault Saunier 2019-08-09 12:45:29 PDT
Created attachment 375943 [details]
Patch
Comment 4 WebKit Commit Bot 2019-08-09 14:57:32 PDT
Comment on attachment 375943 [details]
Patch

Clearing flags on attachment: 375943

Committed r248479: <https://trac.webkit.org/changeset/248479>
Comment 5 WebKit Commit Bot 2019-08-09 14:57:34 PDT
All reviewed patches have been landed.  Closing bug.